It Happened Again (Part 4): EDPB and EDPS Response to the New SCCs
Should organisations use a risk-based approach for EU data transfers?
On 14 January, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) published their joint opinion on the draft modernised standard contractual clauses (SCCs) released by the European Commission in November 2020. The joint opinion, adopted the day after its release, comprises the final step in the adoption process for the SCCs before they are voted on at the committee stage involving all the Member States. The Commission has stated that it hopes to have the new transfer tool adopted around March after digesting the joint opinion and the feedback submitted during the period for public consultation.
The SCCs are part of the numerous pieces of work from the EU as a consequence of the ECJ’s seminal Schrems II judgment in July 2020, of which drastically changed the rules on personal data transfers out of the Union. In that judgment, the Court, while invalidating the EU-US Privacy Shield, held that the SCCs as a transfer tool were valid for that purpose under Article 46 EU GDPR. However, organisations relying on this tool must, on a case-by-case basis, assess whether the effectiveness of the tool is maintained under the law of the third country to where the personal data are being transferred (of which has come to be known as a transfer impact assessment, or TIA). See the first post in this blog series for a more detailed account of the Schrems II decision.
Thus, if the local law of the third country prevents the data importer from complying with its obligations under the SCCs, then the requirement to provide appropriate safeguards under Article 46 cannot be met, rendering the transfer tool ineffective. Where the implementation of supplementary measures does not sufficiently make up for such deficiencies, then the data transfer must be suspended. The EDPB has published its recommended supplementary measures, although these are also yet to be formally adopted (see the third post in this blog series for a more detailed account on the EDPB recommendations).
Transfer Impact Assessments and State Surveillance
There is one significant issue highlighted in the EDPB/EDPS joint opinion in relation to the completion of the TIA. In the previous post in this blog series on Schrems II, there was reference made to the differing standards for the TIA in the EDPB recommendations and the Commission’s modernised SCCs. This specifically concerns the local law of the third country permitting public authorities to request access to personal data transferred to the data importer and whether such requests are compliant with the requirements under the EU Charter.
The EDPB stated that only objective factors should be taken into account for this, such as any reported precedents, practice, legal powers or resources demonstrating that an authority can access data either through the data importer directly or by intercepting communication channels. Contrastingly, more subjective factors, such as the likeliness of authorities requesting access to data, should not be considered.
However, under Clause 2(b)(i) of the draft SCCs, the “practical experience” of the data importer in relation to data access requests from public authorities may be taken into account. This thus implies that, if a data importer has received very few or even no data requests from public authorities, then it may be reasonable to conclude that there is a low risk of such requests being made in the future. As such, “a data controller whose processing is relatively low risk may not have to do as much to comply with its legal obligations as a data controller whose processing is high risk”.[1] In other words, the data exporter can more easily justify the transfer of personal data if there is a low possibility of public authorities in the third country of destination requesting access to that data in a way that contravenes the EU Charter or prevents the data importer from complying the SCCs.
In addition, this approach would appear to be inline with the GDPR. Article 24, which puts ultimate responsibility for compliance with the Regulation on the data controller, states that such compliance work should be carried out taking into account, among other things, the risks of varying likelihood and severity.
This apparent difference in approach between the EDPB and the Commission has now been addressed in the EDPB/EDPS joint opinion adopted last month. Among its recommendations are the abolition of the risk-based approach inferred by the SCCs. Accordingly, the EDPB and the EDPS suggest that the objective factors detailed in the EDPB recommendations should be used instead, ignoring any subjective factors like the “practical experience” of the data importer.
Therefore, if the importer falls within the scope of the surveillance laws of a third country, then this will be enough to constitute the risk of unlawful data access requests from public authorities. According to the EDPB and the EDPS, it thus does not matter if the importer has never received such a request in the past or is likely to receive a request in the future given the nature of the transfer or the type of personal data it holds. Accordingly, the EDPB and EDPS have suggested that the reference to the practical experience of the data importer mentioned in Clause 2(b)(i) in the draft SCCs should be deleted by the Commission before being formally adopted.
The Objective Approach
The objective approach advocated by the EDPB and the EDPS has its basis in a number of stipulations made by the ECJ in Schrems II. Firstly, the Court stated that the purpose of the data transfer rules under the GDPR is to ensure that the high level of protection of personal data of EU citizens under the Regulation (and the EU Charter) is maintained no matter where personal data may be transferred to.[2] This means that there must be an adequate level of protection that is essentially equivalent to that under EU law regardless of the transfer mechanism being used under the GDPR.[3] The ECJ thus made clear that the use of SCCs must provide an adequate level of protection.
Secondly, the Court elaborated on the exact role that SCCs play in providing this adequate level of protection; such a transfer tool, as per Recital (108) GDPR, must compensate for the lack of data protection in a third country in order to ensure compliance with data protection requirements and the rights of the data subjects.[4] Thus, the transfer tools under Article 46 must be used in a way that make up for the deficiencies in the data protection law of the third country. As such, the TIA must take into account the content of the SCCs and whether such clauses, if followed, can make up for the deficiencies.
Thirdly, in making up for those deficiencies, the Court found that there may be scenarios in which the SCCs alone “might not constitute a sufficient means of ensuring, in practice, the effective protection of personal data”.[5] This is particularly the case where the law of the third country “allows its public authorities to interfere with the rights of the data subjects to which that data relates”.[6] For example, as stipulated previously by the ECJ in the Watson Case, EU law precludes “legislation which, for the purpose of fighting serious crime, provides for the general and indiscriminate retention of all traffic data and location data of all subscribers and registered users relating to all means of electronic communication”.[7] This was held to be an unlawful interference with the right privacy and the right to data protection under Articles 7 and 8 of the EU Charter.
Fourthly, the Court clarified that “the communication of personal data to a third party, such as a public authority, constitutes an interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter, whatever the subsequent use of the information communicated”.[8] Furthermore, there is still an interference in relation to “the retention of personal data and access to that data with a view to its use by public authorities, irrespective of whether the information in question relating to private life is sensitive or whether the persons concerned have been inconvenienced in any way on account of that interference”.[9]
Taking these stipulations into account, the EDPB and the EDPS can argue that the Schrems II judgment supports only an objective approach to the completion of a TIA. Accordingly, if a data importer merely falls within the scope of legislation of a third country that permits public authorities to access personal data received by the importer in a way that infringes EU law, then this can be enough to render the SCCs ineffective in practice and thus failing to provide an adequate level of protection as provided under the GDPR.
The Subjective or Risk-Based Approach
In the alternative, the argument of the European Commission that subjective factors should also be considered for the TIA relies on a specific stipulation of the ECJ in Schrems II. That particular stipulation was made in relation to the responsibility of supervisory authorities (SAs) in the EU to determine whether an organisation using SCCs for data transfers has complied with the GDPR. It was held by the Court that SAs must suspend or prohibit transfers on the basis of Commission-adopted SCCs if
“in its view and in light of all the circumstances of that transfer, those clauses are not or cannot be complied with in [the] third country and the protection of the data transferred that is required by EU law cannot be ensured by other means, where the controller or a processor has not itself suspended or put an end to the transfer” (emphasis added).[10]
In addition, even the EDPB-recommended steps in complying with the Schrems II judgment involves assessing whether the Article 46 transfer tool being relied on is effective in light of all the circumstances of the transfer.[11] Moreover, the EDPB refers to, in the context of TIAs, the need consider the “context” and the “characteristics” of the specific transfer in question.[12] The recommendations further suggest that “the rule of law situation in a third country” may also be considered for the TIA.
Such language, both by the ECJ and the EDPB, implies a more subjective approach that requires an assessment to be made on part of the data exporter and importer to determine whether (a) there is a risk to the rights of data subjects and (b) what measures should be implemented to remediate those risks (if possible). Contrastingly, the objective approach would seem to suggest that, if the infringing surveillance laws of the third country applies to the transfer, then this essentially brings the risk assessment to an end at step (a) and thus the transfer cannot conducted.
This is not, however, how the ECJ nor the EDPB has shaped its analysis and guidance. The TIA comprises multiple elements, including assessing the surveillance laws of the third country against the European Essential Guarantees (EEGs). These EEGs specify the requirements that surveillance laws must meet to comply with the EU Charter. The EDPB recommendations state, however, that if the surveillance laws do not meet all of the EEGs, then this merely means that it is unlikely that an adequate level of protection cannot be provided in the transfer.[13] Thus, the EDPB suggests that organisations should go on to determine whether the obligations under the SCCs can be fully complied with under the law of the third country. Therefore, the TIA must be specific to the transfer, taking into account its characteristics and all the circumstances to determine whether the SCCs are, in practice, effective.
As such, the aforementioned structure of the TIA would appear to be more inline with the risk-based approach contained in the GDPR. This seems to be the case despite the argument put forward by None of Your Business (NOYB), a non-profit organisation focusing on privacy issues in Europe of which Maximillian Schrems is the Honorary Chairman. It has stated that the “risk-based approach” was “implemented only in certain elements of the GDPR”, such as in the data security provisions (Article 32), and not in Chapter V containing the rules on data transfers.[14] This is because the “EU legislators adapted and scaled certain obligations and requirements of the GDPR on the basis of the risk for the individuals”.[15] Therefore, the risk-based approach cannot be read into the provisions of Chapter V and thus Article 46 does not indicate “that a transfer may take place when it presents a low risk”.[16]
However, it is not necessary for one to read the risk-based approach into the data transfer rules as the GDPR already mandates this approach under Article 24. That provision states that the data controller must implement the appropriate technical and organisational measures to ensure and demonstrate compliance with the Regulation taking into account the nature, scope, context and purpose of processing as well as the risks of varying likelihood and severity for the rights and freedoms of individuals.
As such, the TIA requires the data exporter and importer to implement the appropriate supplementary measures according to the deficiencies identified in the law of the third country. Therefore, there would seem to be an alignment between one of the central requirements of the GDPR under Article 24 and how the EDPB itself, as well as the ECJ, suggests organisations complete the TIA and ensure that data transfers provide an adequate level of protection essentially equivalent to EU law. Thus, the “practical experience” of the data importer would appear to be highly relevant in order to determine the level of risk arising from the particular transfer question, from which the appropriate measures can be implemented.
Paramount Technicalities
If current the differences between the Commission and the EDPB remain evident in their respective documents after adoption, the approach in the SCCs would prevail. This is due to the fact that, when organisations accede to the SCCs, they become binding on the acceding parties who will thus will be required to follow the risk-based/subjective approach for the TIA. The EDPB recommendations, on the other hand, are not binding in the same way (although they will remain important nevertheless as they will represent the views of all the SAs from each Member State in the EU).
It might be tempting to view the debate over the objective/subjective approach to be taken with the TIA as merely technical and thus insignificant. However, the opposite is true. If the Commission’s SCCs green light the risk-based approach for data transfers, this may provide the sufficient amount of wiggle room needed for companies to justify data transfers from the EU to the US despite the importer falling within the scope of the Foreign Intelligence Surveillance Act of 1978 (FISA); if the importer has received no directives under this law from the NSA, then the transfer can be categorised as a low(er) risk and so may be carried out. This could potentially have a notable influence on the legacy of Schrems II. It will therefore be interesting to see whether the Commission and EDPB will be able to find a happy compromise, or just stay in their corners.
[1] Article 29 Data Protection Working Party, Statement on the role of a risk-based approach in data protection legal frameworks (adopted 20 May 2014), p.2.
[2] Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited [2020] ECLI:EU:C:2020, para. 93.
[3] Ibid, para. 92.
[4] Ibid, para. 95.
[5] Ibid, para. 126.
[6] Ibid.
[7] Joined Cases C-203/15 and C-698/15, Tele2 Sverige AB v Post-och telestyrelsen and Secretary of State for the Home Department v Tom Watson & Others [2016] ECLI:EU:C:2016:970, para. 112.
[8] Schrems II (n 2), para. 171.
[9] Ibid.
[10] Ibid, para. 146.
[11] European Data Protection Board, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with EU level of protection of personal data (10 November 2020), p.12.
[12] Ibid, paras. 30 and 32.
[13] Ibid, para. 41
[14] NYOB’s Comments on EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data <https://noyb.eu/files/CJEU/noyb_EDPBGuidance_additional_measures.pdf> accessed November 2020, 9.
[15] Ibid.
[16] Ibid.
Other Sources:
Raphaël Gellert, The Risk-Based Approach to Data Protection (OUP 2020)
Federico Fabbrini et al (eds), Data Protection Beyond Borders: Transatlantic Perspectives on Extraterritoriality and Sovereignty (Hart Publishing 2021)
Data transfers: Questions and answers abound, yet solutions elude